Remarks 

In the present response, one claim (23) is canceled. Claims 1-22 and 24-26 are 
presented for examination. 

I. Claims Rejection - 35 USC § 112 

The Office Action rejects claim 23 under 35 USC § 112, second paragraph. This 
rejection is moot since claim 23 is canceled. This cancellation is made merely to reduce 
the number of disputes and place the application in a better form for appeal. As such, per 
37 CFR 1.116(b), Applicants respectfully ask the Examiner to enter this cancellation. 

II. Claims Rejection (Claims 1-5, 11, 14-22, 25-26) - 35 USC § 102(e) 

Claims 1-5, 11, 14-22, and 25-26 are rejected under 35 USC § 102(e) as being 
anticipated by Baker et al. (USPN 6,611,498, hereinafter "Baker"). 

A proper rejection of a claim under 35 U.S.C. §102 requires that a single prior art 
reference disclose each element of the claim. See MPEP § 2131, also, W.L. Gore & 
Assoc., Inc. v. Garlock, Inc., 721 F.2d 1540, 220 U.S.P.Q. 303, 313 (Fed. Cir. 1983). 

Claim 1 

Claim 1 is rejected under 35 U.S.C. §102 as allegedly anticipated by Baker. 
Claim 1 recites numerous limitations that are not taught in Baker; examples are discussed 
below. For convenience, claim 1 is reproduced (emphasis added): 

A method for securely transferring data between an agent and an application 
server through a non-secure node comprising: 

(a) establishing a session key between the agent and the application server by 
utilizing a public key of the application server; wherein the public key of the 
application server is embedded in the agent to enable the agent to derive the session 
key; and 

(b) establishing an end-to-end secure connection between the agent and the 
application server by using the session key and by establishing a communication link 
between the application server and the non-secure node by using a relay module. 

On numerous occasions, claim 1 recites recitations pertaining to an agent. The 
Office Action cites Baker (at Col. 5, lines 60-61) for teaching this limitation. This section 
of Baker teaches a client tier of software on a customer workstation that has "one or more 
downloadable application objects directed to front-end business logic." Baker, thus, 
teaches downloading an application object into a workstation. Baker does not teach an 
agent as recited in claim 1. 

According to MPEP § 2111.01, the words of a claim must be given their "plain 
meaning." Webopedia is an online dictionary for computer and internet technology 
definitions. Per Webopedia (see www.webopedia.com), an agent is defined as: "A 
program that performs some information gathering or processing task in the background. 
Typically, an agent is given a very small and well-defined task." Applicants submit that 
Baker does not teach an agent as recited in claim 1. 

Applicants admit that Baker uses the word "agent" in the specification. Baker's 
use of the word "agent" does not teach the limitations in claim 1 regarding the term 
agent. For example, claim 1 recites: 

1) securely transferring data between an agent and an application server, 

2) establishing a session key between the agent and the application server, 

3) wherein the public key of the application server is embedded in the agent, 

4) establishing an end-to-end secure connection between the agent and the 
application server. 

For at least these reasons, Applicants respectfully request withdrawal of the 
rejection. 

As an additional example, claim 1 recites that "the public key of the application 
server is embedded in the agent to enable the agent to derive the session key." This 
limitation is not taught in Baker. 

First, Baker (Col 9, lines 10-12) teaches a server to generate a "cookie" that is 
sent to the client. A "cookie" is not a public key. These two terms have entirely different 
meanings to one of ordinary skill in the art. According to MPEP § 2111.01, the words of 
a claim must be given their "plain meaning." Per Webopedia (see www.webopedia.com), 
a cookie is defined as: "A message given to a Web browser by a Web server. The 
browser stores the message in a text file. The message is then sent back to the server each 
time the browser requests a page from the server." By contrast, a public key is defined as: 
"A cryptographic system that uses two keys - a public key known to everyone and a 
private or secret key known only to the recipient of the message." Thus, Baker does not 
teach "the public key of the application server is embedded in the agent." 

Second, Baker teaches a "cookie" that is sent to the client and then returned to the 
server. Specifically, Baker teaches: 

The preferred embodiment further associates a given 
HTTPS request with a logical session which is initiated and 
tracked by a "cookie jar server" 28 to generate a "cookie" 
which is a unique server-generated key that is sent to the 
client along with each reply to a HTTPS request. The client 
holds the cookie and returns it to the server as part of each 
subsequent HTTPS request. (Col. 9, lines 7-13). 

Claim 1 recites that the public key of the application server is embedded in the 
agent. This limitation is not taught in Baker. Baker teaches a server that sends a cookie to 
a client. Sending a cookie to a client does not teach a public key embedded in an agent. 

Thirdly, claim 1 also recites a public key of the application server embedded in 
the agent to enable the agent to derive the session key. In Baker, the cookie jar server 
generates a cookie and sends it to the client. The client then holds the cookie and sends it 
back to the server. The "cookie" is not embedded in an agent to enable the cookie to 
derive a session key. 

For at least these reasons, Applicants respectfully request withdrawal of the 
rejection. 

Thus, the cited art does not teach or suggest each and every limitation of claim 1. 
All dependent claims that depend from independent claim 1 inherit all limitations of the 
base claim. For at least the reasons given in connection with claim 1, the dependent 
claims are also allowable over Baker. 

Claim 11 

Claim 11 is rejected under 35 U.S.C. §102 as allegedly anticipated by Baker. 
Claim 11 recites numerous limitations that are not taught in Baker; examples are 
discussed below. For convenience, claim 11 is reproduced (emphasis added): 

The method of securely transferring data between an application server and an 
agent of the application server through a non-secure environment having a web-server 
and the agent, the method comprising: 

a) a user accessing the web-server to download the agent therefrom; wherein the 
agent includes a public key of the application server; 

b) the agent deriving a shared session key with the application server by 
using the public key of the application server, the shared session key for use in 
encrypting and decrypting data to be transferred between the agent and the application 
server; 

c) the application server establishing a connection to the web-server; and 

d) the agent contacting the web server by using a first protocol to send data 
encrypted by the session key to the application server over the connection between the 
web-server and the application server. 

On numerous occasions, claim 11 recites recitations pertaining to an agent. Baker 
does not teach the limitations of claim 11 regarding the agent. For brevity reasons, 
Applicants provide a few examples. 

As one example, claim 11 recites "a user accessing the web-server to download 
the agent therefrom." The Office Action cites Baker (Col. 14, lines 7-10) for teaching this 
limitation. This section is reproduced: 

As shown in FIG. 7, the client desktop systems 630 with 
Internet connectivity have standard browsers executing 
Java applets, hereinafter referred to also as a client GUI 
application, downloaded from the web server 632. 

This section of Baker teaches that a desktop can download a GUI application 
from a web server. This section does not teach a user accessing a web-server to download 
an agent from the web-server. 

As another example, the claim recites that the agent includes a public key of the 
application server. The Office Action cites a section of Baker (Col. 9, lines 10-12) that 
discusses "cookies." Applicants respectfully assert that the Office Action is citing 
unrelated sections of Baker and pasting them together in an effort to teach the limitations 
of claim 11. For at least this reason, Applicants respectfully request withdrawal of the 
rejection. 

As noted, claim 11 recites that the agent includes a public key of the application 
server. This limitation is not disclosed in Baker. The Office Action cites Baker (Col. 11, 
lines 34-38) to teach utilizing a public key and then cites Baker (Col. 9, lines 10-12) to 
teach an agent including a public key. Applicants respectfully disagree. Baker (Col. 11, 
lines 34-38) teaches public key encryption, such as employed by a secure sockets layer 
(SSL). Baker (Col 9, lines 10-12) teaches a server to generate a "cookie" that is sent to 
the client. A "cookie" is not a public key. These two terms have entirely different 
meanings to one of ordinary skill in the art. Per Webopedia (see www.webopedia.com), a 
cookie is defined as: "A message given to a Web browser by a Web server. The browser 
stores the message in a text file. The message is then sent back to the server each time the 
browser requests a page from the server." By contrast, a public key is defined as: "A 
cryptographic system that uses two keys - a public key known to everyone and a private 
or secret key known only to the recipient of the message." Thus, these sections taken 
together do not teach an agent that includes a public key of the application server. 

As yet another example, claim 11 recites that the agent derives a shared session 
key with the application server by using the public key of the application server. This 
limitation is not taught in Baker. The Office Action cites Baker (Col. 17, lines 7-11). 
Applicants reproduce the cited section of Baker: 

When a client logs onto the web server 632 and is 
authenticated, the client is provided a "session id" which is 
a unique server-generated key. The client holds this and 
returns it to the server as part of subsequent message 
transaction. (Col. 17, lines 6-10). 

Note the difference between the recitations of claim 11 and the teachings of this 
section. Claim 11 recites that the agent derives the shared session key. The cited section 
of Baker teaches a client that is provided with a session id. In Baker, the client does not 
"derive" the session id. 

Thus, the cited art does not teach or suggest each and every limitation of claim 11. 
All dependent claims that depend from independent claim 11 inherit all limitations of the 
base claim. For at least the reasons given in connection with claim 11, the dependent 
claims are also allowable over Baker. 

Claim 15 

Claim 15 is rejected under 35 U.S.C. §102 as allegedly anticipated by Baker. 
Claim 15 reads as follows (emphasis added): 

A secure data transfer system for connecting a non-secure node to an application 
server behind a firewall comprising: 

a) a web-server in the non-secure node; 

b) a relay in the non-secure node that is dynamically instantiated by the 
application server, the relay being configured by the application server to have a first 
port for listening for a connection from the application server; 

wherein the application server connects to the relay on the first port and reads data 
from the first port. 

Claim 15 recites numerous limitations that are not taught in Baker. For example, 
claim 15 recites that the relay is "configured by the application server." This limitation is 
not taught in Baker. Further, the claim recites that the relay is configured by the 
application server to have "a first port for listening for a connection from the application 
server." This limitation is not taught in Baker. 

The Office Action cites Baker Col. 10, lines 23-34 and Col. 18, lines 13-25. These 
sections are individually addressed. 

The first citation of Baker (i.e., Col. 10, lines 23-34) teaches a proxy server that 
"waits for requests from an application client running on the customer's workstation 10 
and then services the request." (Col. 10, lines 25-27). This section does not teach a relay 
being configured by the application server to have a first port for listening for a 
connection from the application server. 

The second citation of Baker (i.e., Col. 18, lines 13-25) teaches porting the proxy 
server over to the CMIDS (see Figs. 2 and 10). Nowhere does Baker teach a relay being 
configured by the application server to have a first port for listening for a connection 
from the application server. 

Thus, the cited art does not teach or suggest each and every limitation of claim 15. 
All dependent claims that depend from independent claim 15 inherit all limitations of the 
base claim. For at least the reasons given in connection with claim 15, the dependent 
claims are also allowable over Baker. 

Claim 17 

Claim 17 is rejected under 35 U.S.C. §102 as allegedly anticipated by Baker. 
Claim 17 reads as follows (emphasis added): 

A secure data transfer system for establishing an end-to-end secure connection 
between an agent and an application server behind a firewall through a non-secure node 
comprising: 

a) a web-server residing in the non-secure node, the web-server having the 
agent that includes a public key of the application server; 

b) a browser in communication with the web-server for downloading the agent 
from the web-server; 

c) a secure transfer module residing in the non-secure node; and 

d) an application server in a secure zone for initiating a connection to the 
web-server via the secure transfer module. 

On numerous occasions, claim 17 recites recitations pertaining to an agent. Baker 
does not teach the limitations of claim 17 regarding the agent. For brevity reasons, 
Applicants provide a few examples. 

For example, the Office Action cites Baker (at Col. 5, lines 60-61) for teaching 
establishing an end-to-end secure connection between "an agent and an application 
server." This section of Baker teaches a client tier of software on a customer workstation 
that has "one or more downloadable application objects directed to front-end business 
logic." Baker, thus, teaches downloading an application object into a workstation. Baker 
does not teach an agent as recited in claim 17. 

As another example, claim 17 recites: "the web-server having the agent that 
includes a public key of the application server." The Office Action cites Baker (Col. 9, 
lines 10-12) as teaching this recitation. Specifically, Baker teaches: 

The preferred embodiment further associates a given 
HTTPS request with a logical session which is initiated and 
tracked by a "cookie jar server" 28 to generate a "cookie" 
which is a unique server-generated key that is sent to the 
client along with each reply to a HTTPS request. The client 
holds the cookie and returns it to the server as part of each 
subsequent HTTPS request. (Col. 9, lines 7-13) 

This section teaches a server 28 that generates a "cookie" that is sent to a client. 
First, as noted herein, a "cookie" is not a public key. Secondly, the bolded section of 
claim 17 recites four different elements: (1) a web-server, (2) an agent, (3) a public key, 
and (4) an application server. The portion of Baker cited by the Office Action does not 
even include four different elements. Applicants respectfully ask the Office Action to 
specify the portions of Baker that correspond with the elements of claim 17. 

Thus, the cited art does not teach or suggest each and every limitation of claim 17. 
All dependent claims that depend from independent claim 17 inherit all limitations of the 
base claim. For at least the reasons given in connection with claim 17, the dependent 
claims are also allowable over Baker. 



Claim 22 

Claim 22 is rejected under 35 U.S.C. §102 as allegedly anticipated by Baker. 
Claim 22 reads as follows: 



A method, comprising: 

embedding in code of an agent a public key of an application server that is behind 
a firewall; 

downloading the code of the agent and the public key into a browser; 
verifying the agent to authenticate the public key of the application server; 
establishing a communication link between the application server and a relay 
module that is in a non-secure environment and between the browser and the relay 
module; and 

securely transferring data from the browser through the relay module to the 
application server without requiring a trusted intermediate party. 

On numerous occasions, claim 22 recites recitations pertaining to an agent. Baker 
does not teach the limitations of claim 22 regarding the agent. Applicants note at least the 
following occurrences: 

1) embedding in code of an agent a public key of an application server, 

2) downloading the code of the agent, and 

3) verifying the agent. 

For brevity reasons, Applicants discuss one additional example to illustrate the 
deficiencies of Baker. Claim 22 recites "embedding in code of an agent a public key of an 
application server." The Office Action cites a section of Baker (Col. 9, lines 10-12) that 
discusses "cookies." A "cookie" is not a public key. These two terms have entirely 
different meanings to one of ordinary skill in the art (see citations herein to Webopedia). 

Thus, the cited art does not teach or suggest each and every limitation of claim 22. 
All dependent claims that depend from independent claim 22 inherit all limitations of the 
base claim. For at least the reasons given in connection with claim 22, the dependent 
claims are also allowable over Baker. 

III. Claims Rejection (Claims 6-8) - 35 USC § 103(a) 

Claims 6-8 are rejected under 35 USC § 103(a) as being unpatentable over Baker 
in view of Cury et al. (USPN 6,237,095). Claims 6-8 depend from claim 1 and, hence, 
inherit all the limitations of the base claim. Since Cury does not cure the deficiencies of 
Baker, claims 6-8 are allowable over the combination of Baker and Cury. 

IV. Claims Rejection (Claims 9-10) - 35 USC § 103(a) 

Claims 9-10 are rejected under 35 USC §103(a) as being unpatentable over Baker 
in view of Boyle et al. (USPN 6,119,167). Claims 9-10 depend from claim 1 and, hence, 
inherit all the limitations of the base claim. Since Boyle does not cure the deficiencies of 
Baker, claims 9-10 are allowable over the combination of Baker and Boyle. 

V. Claims Rejection (Claims 12 and 16) - 35 USC § 103(a) 

Claim 12 is rejected under 35 USC § 103(a) as being unpatentable over Baker in 
view of Bradley et al. (USPN 6,584,507). Claim 12 depends from claim 11 and, hence, 
inherits all the limitations of the base claim. Since Bradley does not cure the deficiencies 
of Baker, claim 12 is allowable over the combination of Baker and Bradley. 

VI. Claim Rejection (Claim 13) - 35 USC § 103(a) 

Claim 13 is rejected under 35 USC § 103(a) as being unpatentable over Baker in 
view of Bradley and Cury. Claim 13 depends from claim 11 and, hence, inherits all the 
limitations of the base claim. Since Bradley and Cury do not cure the deficiencies of 
Baker, claim 13 is allowable over the combination of Baker, Bradley, and Cury. 

VII. Claim Rejection (Claim 24) - 35 USC § 103(a) 

Claim 24 is rejected under 35 USC §103(a) as being unpatentable over Baker in 
view of Cury. Claim 24 depends from claim 22 and, hence, inherits all the limitations of 
the base claim. Since Cury does not cure the deficiencies of Baker, claim 24 is allowable 
over the combination of Baker and Cury. 






CONCLUSION 

In view of the above, Applicants believe that all pending claims are in condition 
for allowance. Allowance of these claims is respectfully requested. 

Any inquiry regarding this Amendment and Response should be directed to Philip 
S. Lyren at Telephone No. (281) 514-8236, Facsimile No. (281) 514-8332. In addition, 
all correspondence should continue to be directed to the following address: 

Hewlett-Packard Company 

Intellectual Property Administration 
P.O. Box 272400 

Fort Collins, Colorado 80527-2400 



Respectfully submitted, 




Reg. No. 40,709 
Ph: 281-514-8236 



CERTIFICATE UNDER 37 C.F.R. 1.8: The undersigned hereby certifies that this paper or papers, as described herein, 
are being deposited in the United States Postal Service, as first class mail, in an envelope addressed to: Commissioner for 
Patents, P.O. Box 1450, Alexandria, VA 22313-1450 on this ____ day of September, 2004. 



By_ 

Name: Be Henry 